We need to find the 4th flag now.

Since we know that obtaining the 5th flag requires us to successfully logging into the page, we must first find the correct username and password.

The challenge creator has informed us that no brute forcing is necessary, therefore it's useless to attempt bruteforcing for the username and password.

After checking the repository, we haven't found anything interesting yet or any clue for the 4th flag.

Next, examining the list of paths again, we notice an interesting users.php endpoint in the /app/api directory.

And yes! We discovered the 4th flag 🏁 at the bottom